chris apgar, cissp president, apgar & associates, llc december 12, 2007

Chris Apgar, CISSPPresident, Apgar & Associates, LLC

December 12, 2007

Balancing business & security Security & privacy not all technology Placement of privacy & security - Organizational oversight

Importance of risk analysis Other non-technical requirements Selling security Q&A

12/12/2007 2Apgar & Associates, LLC (c) 2007

DoD protection not required Risks are unavoidable Remember profitability Privacy & security solutions need to represent sound practice for the industry & the size & complexity of the organization


HIPAA security rule flexible – take advantage of flexibility

Expensive tools not always best protection

Business needs to adopt security culture

Users need to be involved – greatest risk area


HIPAA security rule – more than 1/3 administrative security

Technology section not predominant section – support to administrative security

Physical security may involve technology but often involves old fashioned keys & fire extinguishers


Privacy requires appropriate security but not necessarily technically specific solutions

Privacy (and security) more people focused

Technology important but needs to support needs of the business and sound administrative/physicial security requirements


Examples:◦Access control administrative safeguard◦Audit administrative & technical

safeguard◦Risk analysis administrative safeguard◦Disaster recovery/emergency mode

operations plans◦Training◦Policies & procedures


Examples (continued):◦Patient privacy rights – primarily paper

interface◦Privacy covers non-electronic & many

providers continue to rely on paper charts (even after EHR implementation)

◦Appropriate application security (e.g., EHR, bio-medical devices, PHR, etc.) lacking in today’s applications

◦Secure e-mail relies on sender & recipient


Variations between organizations – who is appointed privacy and security officers (no matter the size)

Generally security reports to IT Frequently privacy officer training lacking

Frequently security officer non-technical training lacking


Authority & responsibility of privacy & security officers vary between organizations◦Sometimes “only because HIPAA requires

it”◦Too often positions lack authority to

force/effect change◦Often responsibility exceeds authority◦Important findings/risks overlooked


Privacy & security officers organizational placement vary

Placement in organization needs to consider position effectiveness and perceived neutrality

Positions need to be view as positions of trust


Appropriate placement of privacy officer in organization:◦Compliance office◦Legal◦CEO/president◦Senior executive with cross-organization

responsibilities/authority


Appropriate placement of security officer in organization:◦Compliance office◦Legal◦CEO/president◦Senior executive with cross-organization

responsibilities/authority◦Not CIO


Positions need to be visible in positive way

Heavy visible engagement in audits, risk analysis, policy/procedure development, etc.

Interaction with local, state, federal standards development projects & bodies required


HIPAA security rule requires risk analysis conducted regularly

Foundation for security program:◦Risk identification & mitigation◦Policy & procedure development/

amendment◦Disaster recovery/emergency mode

operations plan building block◦Audit criteria development◦Workforce training content & requirements


Conducted at least annually or when any major system or business change occurs

Most health care organization haven’t conducted risk analysis since security rule effective date

Risk analysis reflects environmental, technical, business, etc. changes which don’t stop


Most health care organizations conduct qualitative or combined qualitative/ranking risk analysis

Frequently risk analyses not standardized within organization

Security controls evaluated often not technical

Lack of follow through/mitigation an issue


Organizations miss value – data collected during sound risk analysis applicability to other standards & processes

Security officer – educational role Need to know business and assist in identifying risks to mitigate and risks to accept


Balance identified risks between security, privacy & business needs

Risk analysis should be globally rather than technically focused

User involvement required – employees often know of risks before management

Match perception with reality


Risk management ties it all together Proper training key to successful security & privacy program

Remote users represent significant non-technical threat

Physical security – protect the infrastructure


People most significant threat Role based access control – appropriate, tracked and enforced

Trading partners & business associates – inter-organizational agreements/contracts

Legal requirements (state, federal, case law)


Security/privacy incident response Breach notification requirements Trust building between organizations and consumers

Non-electronic data management Document/data retention & destruction (FRCP, HIPAA, etc.)


ROI difficult to sell/demonstrate Package as insurance policy Identify damages caused by lax security◦Regulatory compliance◦Liability◦Business reputation◦Economic loss – trust, trade secrets, etc.◦Lost data can bring down business


Keep horror stories to a minimum Senior management – focus on non-

technical risks (what will it cost in damages)

Too much tech talk leads to glazed eyes Tie directly to business (must know the

business) Clearly map to the risks (the value in

pictures)


Be reasonable – remember organization size, complexity and financial viability

Sell phased security/privacy Rely on fact & accurate business impact Clearly spell out costs:

◦ Solution cost (acquisition, installation, maintenance)◦ Staff support requirements (implementation &

maintenance Be prepared to negotiate


Chris Apgar, CISSPPresident

chris apgar, cissp president, apgar & associates, llc december 12, 2007

Documents